Monthly Archives: February 2006

Wikipedia defines a parasite as “an organism that spends a significant portion of its life in… a host organism… without immediately killing it.”

Phishers host their web sites using a number of methods (free hosting, shared hosting with a stolen credit card, hacked servers, etc.), but a common and growing method is for phishers to take advantage of insecure web applications that allow them to upload their phishing site to run as a part of another site. In this mode, a phishing site acts as a parasite to an existing host.

Here’s the flow:

Phisher learns about a vulnerability in a downloadable web application (this means a web app you can run on your own server). For example, older versions of Simple PHP Blog (insecure versions are still available on SourceForge) have an image file upload vulnerability. This allows remote users to upload arbitrary files to the hosting server.

Phisher searches for sites running the vulnerable version of the application. Many web apps have keyword strings that make it easy to find hosts running that version. I won’t go into details, but think “powered by…”.

Phisher finds targets, exploits the vulnerability, and uploads their own code to the server. The phishing site is then accessible to the outside world without raising any flags on the compromised host. The web application will generally continue to function normally.

Wash, rinse, repeat.

Why would a phisher want to run their site as a parasite to another host instead of as a standalone? At least three reasons:

Cheap – no fake credit card data is needed, and no goofy ads forced on their sites by free web hosts.

Harder to Detect – some anti-phishing tools (not ScamAlarm) look at how long a given domain has existed as a clue to its phishiness. Running as a parasite can make your phishing site look old and legitimate (and sometimes even popular). The phisher can also avoid displaying an IP address as its host name.

Harder to Block – Blocklist providers have to block at the URL or partial URL level, not at the host level. You don’t want to kill the host when you’re trying to kill the parasite.
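To make the URL-level versus host-level distinction concrete, here is an added example (not from the original post or from any blocklist provider) of a blocklist that matches on host plus path prefix. The host name blog.example.org, the paths and the PrefixBlocklist class are constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit, unquote


def canonical(url):
    """Return (host, path) in a canonical form so equivalent URLs compare equal."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")        # hostname is already lowercased
    path = "/" + unquote(parts.path).lstrip("/")     # decode %xx, force one leading slash
    return host, posixpath.normpath(path)            # collapse "." and ".." segments


class PrefixBlocklist:
    """Blocklist whose entries are host + path prefix; a bare host blocks the whole site."""

    def __init__(self, entries):
        self.prefixes = {}
        for entry in entries:
            host, path = canonical(entry)
            self.prefixes.setdefault(host, []).append(path.rstrip("/") or "/")

    def is_blocked(self, url):
        host, path = canonical(url)
        for prefix in self.prefixes.get(host, []):
            # Match whole path segments only, so /a/b does not also block /a/b2.
            if prefix == "/" or path == prefix or path.startswith(prefix + "/"):
                return True
        return False


# Constructed sample: a legitimate blog with a parasite directory under its image folder.
PARASITE = "http://blog.example.org/blog/images/secure-login/index.html"
LEGIT = "http://blog.example.org/blog/index.php"

url_level = PrefixBlocklist(["blog.example.org/blog/images/secure-login/"])
host_level = PrefixBlocklist(["blog.example.org"])

if __name__ == "__main__":
    for name, bl in (("url-level", url_level), ("host-level", host_level)):
        print(name, "parasite:", bl.is_blocked(PARASITE), "host's own page:", bl.is_blocked(LEGIT))
```

The URL-level list blocks only the parasite directory, while the host-level list also blocks the host's own pages. Canonicalizing before comparison keeps a prefix entry from being sidestepped by a differently spelled but equivalent URL.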

I don’t mean to pick on Simple PHP Blog. Any number of other applications (blogs and photo galleries especially) are similarly vulnerable. The SPB author quickly patched the vulnerability once it was discovered. The problem is that many people downloaded and installed the older version and have never updated it.